2 * as user cmd [arg...] - run cmd with args as user on this cpu server.
3 * must be hostowner for this to work.
4 * needs #¤/caphash and #¤/capuse.
12 #include "authcmdlib.h"
14 extern int newnsdebug;
16 char *defargv[] = { "/bin/rc", "-i", nil };
17 char *namespace = nil;
19 int becomeuser(char*);
24 fprint(2, "usage: %s [-d] [-n namespace] user [cmd [args...]]\n", argv0);
33 if(a[0][0] != '/' && a[0][0] != '#' &&
34 (a[0][0] != '.' || (a[0][1] != '/' &&
35 (a[0][1] != '.' || a[0][2] != '/'))))
36 exec(smprint("/bin/%s", a[0]), a);
38 sysfatal("exec: %s: %r", a[0]);
42 main(int argc, char *argv[])
49 namespace = EARGF(usage());
58 if(becomeuser(argv[0]) < 0)
59 sysfatal("can't change uid for %s: %r", argv[0]);
60 if(newns(argv[0], namespace) < 0)
61 sysfatal("can't build namespace: %r");
71 * create a change uid capability
74 mkcap(char *from, char *to)
83 fd = open("#¤/caphash", OCEXEC|OWRITE);
87 /* create the capability */
90 cap = malloc(nfrom+1+nto+1+sizeof(rand)*3+1);
92 sysfatal("malloc: %r");
93 sprint(cap, "%s@%s", from, to);
94 genrandom(rand, sizeof(rand));
95 key = cap+nfrom+1+nto+1;
96 enc64(key, sizeof(rand)*3, rand, sizeof(rand));
98 /* hash the capability */
99 hmac_sha1((uchar*)cap, strlen(cap), (uchar*)key, strlen(key), hash, nil);
101 /* give the kernel the hash */
103 if(write(fd, hash, SHA1dlen) < 0){
118 fd = open("#¤/capuse", OWRITE);
121 rv = write(fd, cap, strlen(cap));
127 becomeuser(char *new)
132 cap = mkcap(getuser(), new);